[FLUG] Re: iptables -j LOG

  • From: M.Luzietti@xxxxxxxxxxx
  • To: fanolug@xxxxxxxxxxxxx
  • Date: Thu, 11 Apr 2002 08:30:42 +0200

Mailing List of the Fortunae LUG
================================

Solution found; I'm forwarding you a post found on a forum that solved
it for me:


Hello,

Common configuration problem.
The problem is basically that when you send a request to your www it is
"redirected" to your internal machine, 192.168.1.2.  Then when 192.168.1.2
wants to reply it sees that the requesting machine, 192.168.1.3, is on the
same subnet so it replies directly.  As a result the Synch numbers don't
match up, and when a reply is sent back to the requesting
machine (192.168.1.3) it immediately sends a reset to 192.168.1.2 to try
and resynch the connection.  Check out tcpdump to see this.

The packet needs to pass back through the firewall in order to make this
work properly.  Here's an example:

## DNAT ##
/usr/local/bin/iptables -t nat -A PREROUTING -i eth0 -p tcp \
-s 192.168.1.0/24 -d 1.2.3.4 --dport 80 \
-j DNAT --to 192.168.1.2:80

## SNAT ##
/usr/local/bin/iptables -t nat -A POSTROUTING -o eth0 -p tcp \
-s 192.168.1.0/24 -d 192.168.1.2 --dport 80 \
-j SNAT --to 192.168.1.1

So, basically, we're changing both source and destination IP addresses
under only specific circumstances.  As far as 192.168.1.2 is concerned,
it's talking to the firewall throughout the whole transfer.

This, uh, works.  Some weirdnesses have popped up with this config.  If at
all possible, throw another NIC in the box and put the web server on a
DMZ, on another subnet.  May save some headaches.

-Obsid
http://www.sentry.net/~obsid/



Simple, no?
Greetings and kisses, Sco

--
"A Slackware is forever ..."
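As an added illustration (not part of the forwarded post or of this list), here is a small Python model of the hairpin flow described above. It shows why, with only the DNAT rule, the server's reply reaches the client directly with source 192.168.1.2 (so the client has no matching socket and resets), and why the SNAT rule forces the reply back through the firewall, where the connection tracker reverses both translations. The addresses are the ones in the post; conntrack is simplified to "the firewall undoes whatever it rewrote on the way in".

```python
# Added example (not from the forwarded post): a toy model of hairpin NAT on the
# 192.168.1.0/24 LAN from the post. Firewall = 192.168.1.1 (public 1.2.3.4),
# web server = 192.168.1.2, client = 192.168.1.3. Conntrack is simplified to
# "the firewall reverses any translation it applied on the way in".
from dataclasses import dataclass, replace

CLIENT, FW_LAN, SERVER, PUBLIC = "192.168.1.3", "192.168.1.1", "192.168.1.2", "1.2.3.4"

@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    dport: int

def same_subnet(a: str, b: str) -> bool:
    """A /24 comparison is enough for this LAN."""
    return a.rsplit(".", 1)[0] == b.rsplit(".", 1)[0]

def firewall_in(pkt: Pkt, snat: bool) -> Pkt:
    """PREROUTING DNAT -d 1.2.3.4 --dport 80 -> 192.168.1.2, then the optional
    POSTROUTING SNAT -s 192.168.1.0/24 -d 192.168.1.2 --dport 80 -> 192.168.1.1."""
    if pkt.dst == PUBLIC and pkt.dport == 80:
        pkt = replace(pkt, dst=SERVER)
    if snat and pkt.dst == SERVER and pkt.dport == 80 and same_subnet(pkt.src, SERVER):
        pkt = replace(pkt, src=FW_LAN)
    return pkt

def hairpin(snat: bool) -> dict:
    """Return where the server's reply goes and whether the client accepts it."""
    request = Pkt(CLIENT, PUBLIC, 80)
    delivered = firewall_in(request, snat)
    # The server answers whatever source address it saw on the request.
    reply = Pkt(delivered.dst, delivered.src, 0)
    if reply.dst != FW_LAN and same_subnet(reply.src, reply.dst):
        # Same subnet: delivered directly, the firewall never sees it, so
        # nothing undoes the DNAT and the client gets a packet from 192.168.1.2.
        via_firewall = False
    else:
        # Reply hits the firewall, which reverses both translations.
        via_firewall = True
        reply = Pkt(request.dst, request.src, 0)
    # The client only has a socket for 1.2.3.4:80; anything else gets an RST.
    return {"via_firewall": via_firewall, "reply_src": reply.src,
            "client_accepts": reply.src == PUBLIC and reply.dst == CLIENT}

if __name__ == "__main__":
    for snat in (False, True):
        print("SNAT" if snat else "DNAT only", hairpin(snat))
```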

